U.S. DEPARTMENT OF EDUCATION
OFFICE OF THE INSPECTOR GENERAL

Review of Year 2000 Compliance for Processing, Delivery and Administration of Student Financial Assistance Programs

Control Number S11-90016
July 1999

MANAGEMENT INFORMATION REPORT
Area Manager
Washington DC Field Office

TABLE OF CONTENTS

Executive Summary

Review Results

    ED Completed Implementation of Systems Critical to Student Financial Assistance

    Y2K Risk Assessment for Critical Systems

    ED Conducted Extensive Outreach to External Trading Partners, But Risks Remain

    ED Needs to Complete and Test Contingency Plans

    ED Needs to Establish Controls to Ensure Continued Y2K Compliance

Recommendations

Management Response

Background
Objective, Scope and Methodology

Exhibit 1: OIG Risk Assessment of Critical Systems

Appendix A: System Descriptions

Appendix B: Management Response

ED OIG Management Information Report S11-90016
Review of Year 2000 Compliance for Processing, Delivery, and Administration of SFA Programs   July 1999

Executive Summary

We reviewed the U.S. Department of Education’s (ED’s) Year 2000 (Y2K) compliance for processing, delivery, and administration of grant, loan, and work assistance programs. This report is the second of two Office of Inspector General (OIG) reports concerning the Y2K issue required by the Higher Education Amendments of 1998 (HEA). In January 1999, OIG published a risk assessment of the systems and hardware under ED’s management. In our current review, we assessed the status of 13 mission critical systems critical to the delivery of student financial assistance (SFA) and reviewed ED’s progress in addressing risk areas identified in our previous report. Management Information Reports are intended to provide information for decision-makers and are not audit or investigative reports.

ED substantially completed implementation and end-to-end testing of its internal systems and has devoted significant effort to reduce the risk associated with external trading partners and contingency planning. However, work remains to mitigate continuing risks. We are especially concerned with the Y2K readiness status of postsecondary institutions. Outreach by Congress is warranted to augment ED’s extensive attempts to have schools take steps to reduce their risk of Y2K failure.
ED will also need to take steps to 1) reduce the Y2K risks associated with other external trading partners on whom it must rely, 2) complete and test contingency plans, and 3) establish controls to ensure continued Y2K compliance.

ED Completed Implementation of Systems Critical to Student Financial Assistance

In assessing the status of ED’s systems’ Y2K compliance, we relied on contractors performing independent verification and validation (IV&V) procedures. We determined that these contractors were adequately performing the IV&V process and that we could rely on their work. IV&V documentation indicates that the 13 systems completed validation, except for low-risk issues pending completion or IV&V review. End-to-end testing between ED systems and with external parties (other than one-to-one testing with schools, guaranty agencies and their servicers) has been substantially completed. ED tested its ability to send and receive data from schools, guaranty agencies and their servicers in a simulated environment and has established test windows through September 1999 to allow these entities to perform actual one-to-one tests of their electronic interfaces.

The scope of our work did not include sufficient steps for OIG to verify independently the Y2K compliance of ED’s systems. However, Exhibit 1 presents our risk assessment for the 13 systems using an adaptation of the Y2K Scorecard approach developed by the MITRE Corporation.

ED Conducted Extensive Outreach to External Trading Partners, but Risks Remain

The SFA delivery process involves a network of external trading parties, including approximately 7000 postsecondary institutions, 6500 lenders and 36 guaranty agencies. Significant Y2K-related failures at these entities could disrupt the processing, delivery, and administration of grants, loans and work assistance provided through the SFA programs.
ED has implemented extensive outreach efforts to promote awareness, provide technical assistance, and to learn about progress made by these entities.

No matter how extensive its outreach efforts, ED cannot ensure that its trading partners will become Y2K compliant. These entities must take the steps necessary to mitigate Y2K risks for their organizations. ED is taking steps to understand the readiness of its trading partners and to implement contingency plans to address potential failures. After analyzing available information on trading partner readiness, we assessed the risk that Y2K-related failures at lenders, guaranty agencies, and postsecondary institutions would disrupt the processing, delivery, and administration of the SFA programs for student beneficiaries.

• Lenders – Low Risk: As of February 1999, approximately 96 percent of depository institutions examined by the Federal Financial Institutions Examination Council were making satisfactory progress.

• Guaranty Agencies – Low to Moderate Risk: During six OIG site visits from August 1998 to March 1999, we noted issues regarding data exchanges, contingency planning and systems/servicer changes. ED’s Guarantor and Lender Oversight Service (GLOS) conducted site visits in early 1999 at seven agencies and concluded that the agencies’ Y2K risk to the Federal Family Education Loan Program ranged from low to moderate.
  Presently, GLOS and OIG plan to conduct initial site visits at an additional nine guaranty agencies and one servicer and will revisit two agencies.

• Postsecondary Institutions – High Risk: There is insufficient information to assess accurately the readiness of postsecondary institutions, and the limited information available indicates that they may be at risk. ED is conducting a voluntary survey of 6,614 schools. Preliminary results from 653 or 9.9 percent of the survey population show that 46 percent of respondents do not have a written Y2K plan. Additionally, 42 percent did not expect to complete their implementation phase until after September 30, 1999. These early survey results raise a concern that a significant percentage of postsecondary institutions may be at risk for Y2K-related failures. Other factors that support our assessment of high risk include low participation by schools in ED’s testing windows and concerns we have about the readiness of school servicers.

ED Needs to Complete and Test Contingency Plans

ED has made substantial progress in developing its business continuity and contingency plans (BCCP) and submitted preliminary plans to OMB on March 31, 1999. ED revised and resubmitted its BCCP on June 15, 1999, the date initially required by OMB. The current BCCP contains plans for eight SFA business processes as well as plans for ED’s network operations (EDNET) and its Central Automated Processing System (EDCAPS). To prevent disruption of the SFA delivery process, however, ED will need to continue its efforts to develop, test and refine its plans.
Additionally, ED will need to complete prerequisite actions in 1999, resolve policy decisions regarding waivers of statutes and regulations, and ensure adequate funding for implementation of the plans.

ED Needs to Establish Controls to Ensure Continued Y2K Compliance

ED must ensure that existing and new systems continue to be Year 2000 compliant. The Y2K Project Team distributed guidance for maintaining Year 2000 compliance for systems and data exchanges. This guidance requires that all major releases of software or hardware upgrades for existing systems and all new systems must undergo a complete set of Year 2000 validation tests prior to acceptance. We found that the first two phases of the new RFMS system were implemented before complete Y2K tests were conducted. Implementing systems before they are validated increases the risk that ED’s systems will not accurately process, deliver and administer the SFA programs. In the case of RFMS, the Y2K tests are now being completed.

ED’s guidance on maintaining Year 2000 compliance states that principal offices will become fully responsible for Year 2000 compliance of systems under their cognizance. The guide does not define an oversight role for the Y2K Project Team in the continued certification of systems and does not require the use of IV&V.
These oversight functions were key controls established in the Y2K Project Management Plan for the original certification of mission critical systems.

Recommendations

We recommend that ED:

• Continue outreach activities to communicate Y2K issues and strategies to all sectors of the postsecondary education community;

• Require all postsecondary institutions to test their data exchanges and ensure that all guaranty agencies successfully complete the required testing with ED;

• Complete, test and refine its business continuity and contingency plans. Steps include soliciting and addressing industry comments, securing adequate resources to implement the plans, completing detail action plans, performing actions required prior to December 31, and implementing risk mitigation plans;

• Implement a process for validating continued Y2K compliance of critical systems when modifications are made. The process should include oversight by the Y2K Project Management Team; and

• Initiate controls to limit system changes to those considered essential by the Information Technology Investment Review Board for the period September 1999 to March 2000.

We also recommend that Congress:

• Promote Y2K awareness at postsecondary institutions in their districts and states; and

• Seek to build constituent support groups to help lagging institutions achieve Y2K readiness.

Management Response

Management agreed with the report’s observations about areas that require ongoing efforts by ED. Management’s response, included as Appendix B, addresses ED’s plans for implementing our recommendations.

Review Results

We reviewed the U.S. Department of Education’s (ED’s) Year 2000 (Y2K) compliance for processing, delivery, and administration of grant, loan, and work assistance programs. We assessed the status of 13 mission systems critical to the student financial assistance (SFA) programs and reviewed ED’s progress in addressing risk areas identified in our January 1999 risk assessment of systems and hardware under ED’s management. Management Information Reports are intended to provide information for use of decision-makers and are not audit or investigative reports.

ED substantially completed implementation and end-to-end testing of its internal systems and has devoted significant effort to reduce the risk associated with external trading partners and contingency planning. However, work remains to mitigate continuing risks. We are especially concerned with the Y2K readiness status of postsecondary institutions. Outreach by Congress is warranted to augment ED’s extensive attempts to have schools take steps to reduce their risk of Y2K failure.
ED will also need to take steps to 1) reduce the Y2K risks associated with other external trading partners on whom it must rely, 2) complete and test contingency plans, and 3) establish controls to ensure continued Y2K compliance.

ED Completed Implementation of Systems Critical to Student Financial Assistance

ED reports that it has completed renovation, validation and implementation of the 13 systems critical for student financial assistance delivery before the March 31, 1999 deadline set by the Office of Management and Budget (OMB) and the Higher Education Act. These systems include:

1. Direct Loan Central Database (DLCD)
2. Direct Loan Origination System (DLOS)
3. Direct Loan Servicing System (DLSS)
4. Postsecondary Education Participants System (PEPS)
5. Education’s Central Automated Processing System (EDCAPS)
6. Campus Based System (CBS)
7. National Student Loan Data System (NSLDS)
8. Pell Grant Recipients Financial Management System (PELL)
9. Title IV Wide Area Network (TIVWAN)
10. Central Processing System (CPS)
11. Education’s Local Area Network (EDNET)
12. Multiple Data Entry System (MDE)
13. Federal Family Education Loan Program System (FFEL)

OIG Relied on Work of Independent Verification and Validation Contractors

In assessing the status of ED’s systems, we relied on the work of contractors performing independent verification and validation (IV&V) procedures. We determined that these contractors were adequately performing the IV&V process and that we could rely on their work in conducting our risk assessment. IV&V documentation indicates that the 13 implemented systems completed renovation and validation except for low risk issues pending completion or IV&V review. In May 1999, GAO reported that it reviewed the change control/quality control process, test plans and test results for NSLDS, FFEL, and PELL systems. [Year 2000 Computing Challenge: Education Taking Needed Actions But Work Remains, GAO/T-AIMD-99-180, May 12]. GAO stated that it found adequate documentation supporting baseline, regression, and future date testing for three systems it selected.
The scope of our work did not include sufficient steps for OIG to verify independently the Y2K compliance of ED’s systems.

End-to-end Testing is Substantially Complete

In our January 1999 report we noted that systems reported as implemented were independently validated and put into production, but had not completed end-to-end testing. In Year 2000 Computing Crisis: An Assessment Guide [GAO/AIMD-10.1.14] and Year 2000 Computing Crisis: A Testing Guide [GAO/AIMD-10.1.21] GAO recommends completion of end-to-end testing before systems are considered implemented. End-to-end testing between ED systems, and with external parties (except schools, guaranty agencies and their servicers), has been substantially completed except for a few exchanges affecting the Direct Loan Origination System that are scheduled to occur by July 1999.

Postsecondary Institution Participation in Testing Windows Has Been Low

ED tested electronic data exchanges with schools, guaranty agencies and their servicers by simulation, testing the systems’ ability to send and receive data from external trading partners in a simulated environment. ED has established test windows through September 1999 to allow these entities to perform actual tests of their electronic interfaces. Only 15 schools participated in the first testing window of the DLOS that closed on May 21, 1999.
Only three of the schools passed the tests. In an effort to increase participation, ED sent letters to approximately 50 higher education associations requesting that they urge their members to participate in testing with ED.

Y2K Risk Assessment For Critical Systems

Risk of ED’s Systems and Hardware Not Being Ready for Y2K Has Diminished

Overall, we conclude that the risk of ED’s systems and hardware not being ready for Y2K has been reduced to low. In January 1999, we provided a risk assessment for the 13 mission systems critical to the SFA programs. Exhibit 1 presents our latest risk assessments for these systems after analysis of documentation we received through June 21, 1999.
We assessed the level of risk outstanding for each of the individual systems based on a review of the following factors:

• status of commercial off the shelf (COTS) software products;
• status of the network and operating environment;
• status of external interfaces;
• time and resources available;
• status of the validation process; and
• status of the implementation process.

Summary Risk Provides OIG’s Overall Evaluation for Individual Systems

We describe our methodology and source of supporting data in the Scope and Methodology section of this report. Appendix A provides a description of the 13 systems included in our assessment. The Summary Risk column provides our overall evaluation of the level of risk associated with the individual systems. The following descriptions provide a guide for interpreting the level of summary risk:

BLUE: The system completed implementation and appropriate end-to-end testing. IV&V has reviewed resolution of all identified issues.

GREEN: The system completed implementation and made significant progress in end-to-end testing.
ED is resolving low risk issues identified by IV&V and/or system needs to complete end-to-end testing. Remaining issues are scheduled for completion before September 30, 1999.

YELLOW: The system completed implementation and IV&V. However, the system requires monitoring because IV&V has identified moderate risk issues and/or there has not been significant progress in end-to-end testing. Remaining issues are scheduled for completion before September 30, 1999.

RED: The system has not completed implementation and/or there are significant unmitigated risks that could affect program processing, delivery or administration.

Summary Risks for All Systems Were Rated GREEN or BLUE

There were no systems meeting our summary risk criteria for YELLOW or RED. The following three systems had a summary risk of BLUE: CPS, MDE, and TIVWAN. The remaining ten systems had a summary risk rating of GREEN.

OIG Noted Pending Issues Related to DLOS and PELL

Although we assessed the summary risk as GREEN for the DLOS and PELL systems, we did identify conditions meriting a YELLOW assessment for one of the risk columns:

• DLOS: ED did not complete testing for several data exchanges. These tests were originally scheduled for March 1999 and ED postponed them to July 1999.

• PELL: ED implemented two phases of its new RFMS system before completion of Y2K testing. These tests are currently being completed.

IV&V Recommended Interoperability Tests for EDNET

Validation of the EDNET system was primarily based on vendor certifications of the hardware and software supporting ED’s network. The final IV&V report for EDNET reported that all validation issues had been resolved; however, the contractor recommended that ED conduct interoperability tests as an added measure to reduce risk further. For purposes of our risk assessment, we considered the system validated. However, we assessed the interoperability tests as an issue related to the network and operating environment that remains to be tracked. We assessed a summary risk of GREEN for EDNET until the interoperability tests are successfully completed.
ED requested approximately $1.1 million in emergency funding from OMB to create a test facility and run the tests; however, OMB did not approve the funds. OMB recommended that ED lock down the current system and test over the July 4, 1999 weekend. ED previously decided against a test on its production environment and is now determining its best course of action to address the IV&V recommendation.

ED Conducted Extensive Outreach to External Trading Partners, but Risks Remain

ED Cannot Ensure the Y2K Compliance of SFA Trading Partners

The SFA delivery process involves a network of external trading parties including approximately 7000 postsecondary institutions, 6500 lenders, and 36 guaranty agencies. Significant Y2K-related failures at these entities could disrupt the delivery of the SFA programs and put Federal funds at risk. No matter how extensive its outreach efforts, ED cannot ensure that its trading partners will become Y2K compliant. These entities must take the steps necessary to mitigate Y2K risks for their organizations.
There remains a risk that these entities might have Y2K-related system failures that affect their ability to perform their role in the SFA program delivery process.

We reviewed ED’s outreach and oversight efforts and assessed the risks that failures at lenders, guaranty agencies and postsecondary institutions would disrupt the processing, delivery, or administration of the SFA programs. We are especially concerned with the Y2K readiness status of postsecondary institutions, which we believe pose the greatest risk. Outreach by Congress is warranted to augment ED’s extensive attempts to have schools take steps to reduce their risk of Y2K failure.

ED is taking steps to understand the readiness of its trading partners and to implement contingency plans to address potential failures. ED has performed extensive outreach efforts to promote awareness, provide technical assistance, and to learn about progress made by these entities. Additionally, ED has executed oversight over progress made at guaranty agencies.

Outreach to postsecondary community

ED serves as the lead agency of the Education Sector Workgroup of the President’s Council on Year 2000 Conversion. Outreach efforts directed toward the postsecondary education community by ED and the Workgroup include:

• Dear Colleague Letters: ED issued Dear Colleague Letters to schools describing the Y2K issue and their responsibilities.

• Conference Participation: ED is promoting awareness of Y2K issues at industry conferences including those sponsored by the National Association of College and University Business Officers (NACUBO) and the National Association of Student Financial Aid Administrators (NASFAA).

• Focus Groups – First Round: ED sponsored focus groups for postsecondary institutions at sites throughout the country during the period May 1998 to September 1998.
  The first round of focus groups was designed to 1) understand the status of
  participants, 2) understand the obstacles faced by organizations, 3) raise awareness
  of issues with participating schools and 4) get input on how ED could best assist
  schools.

• Year 2000 Readiness Kit: In November 1998, ED published and distributed the Year 2000
  Readiness Kit: A Compilation of Y2K Resources for Schools, Colleges, and Universities.
  The kit provides approaches and techniques for responding to the Year 2000 challenge.

• Interactive Teleconference: On December 7, 1998, ED hosted an interactive
  teleconference titled Meeting the Year 2000 Computer Challenge: Schools, Colleges and
  the Millennium Bug.

• Focus Groups – Second Round: ED’s second round of focus groups is concentrated toward
  assisting schools in four sectors: 1) Historically Black Colleges and Universities,
  2) Hispanic Serving Institutions, 3) Tribally controlled colleges and 4) the 100
  schools receiving the largest amounts of student financial assistance.
  These focus groups concentrate on contingency planning, the importance of testing and
  resources available.

• Surveys of Postsecondary Institutions: ED conducted a survey of Direct Loan Program
  schools from July to August 1998 and received the results of a survey of community
  colleges conducted by the American Association of Community Colleges. ED is currently
  conducting a survey of 6614 postsecondary institutions attended by students receiving
  financial assistance. This survey will be completed in July 1999.

• Year 2000 Website: ED maintains a Y2K website at http://www.ed.gov/offices/OCIO/year/
  that provides information on ED’s progress and provides tools and resources for
  addressing the Y2K issue.

• Testing Windows: ED has provided opportunities for postsecondary institutions to test
  their data exchanges with ED during voluntary test windows scheduled through
  September 1999. Participation by schools in the voluntary test windows has been low.
  For example, only 15 schools participated in the first testing window of the DLOS
  that closed on May 21, 1999. Only 3 of the schools successfully completed the tests.
  In an effort to increase participation, ED sent letters to approximately 50 higher
  education associations requesting that they urge their members to participate in
  testing with ED.

Outreach and Oversight of Lenders and Guaranty Agencies
ED has also addressed the readiness of lenders and guaranty agencies. Outreach and
oversight activities directed towards these organizations include:

• Dear Colleague Letters: ED issued Dear Colleague Letters to guaranty agencies and
  lenders describing the nature of the Y2K issue and the entities’ responsibilities.

• Conferences and Focus Groups: ED has participated at conferences and focus groups for
  lenders and guaranty agencies including the annual conference of the National Council
  of Higher Education Loan Programs (NCHELP).

• Financial Institutions Sector Workgroup: ED participates as a member of the Financial
  Institutions Sector Workgroup of the President’s Council on Year 2000 Conversion.
  ED has not surveyed the readiness of lenders directly, but relies on information from
  bank examinations performed by agencies of the Federal Financial Institutions
  Examination Council.

• Oversight of Guaranty Agencies: ED’s Guarantor and Lender Oversight Service (GLOS)
  surveyed all 36 agencies about their Y2K readiness and required agencies to submit
  their Y2K readiness plans, contingency plans, and certification of compliance.
  Additionally, GLOS hired a contractor to survey all 36 guaranty agencies and perform
  on-site reviews at a sample of guaranty agencies. OIG also conducted reviews at six
  guaranty agencies.

OIG Assessment of Risks Posed by Lenders, Guaranty Agencies and Postsecondary Institutions
After analyzing available information on trading partner readiness, we assessed the
risk that failures at lenders, guaranty agencies, and postsecondary institutions would
disrupt the processing, delivery, and administration of the SFA programs for student
beneficiaries. Except for OIG’s on-site work at guaranty agencies and school servicers,
our analysis is based on information provided by ED.

Lenders – Low Risk
ED participates in the Financial Institutions Sector Workgroup of the President’s
Council on Year 2000 Conversion. The Workgroup reported that as of February 28, 1999,
approximately 96 percent of depository institutions and credit unions examined by the
Federal Financial Institutions Examination Council were making “satisfactory” progress.

Guaranty Agencies – Low to Moderate Risk
During six OIG site visits from August 1998 to March 1999, we found agencies in varying
stages of Y2K preparation and noted issues regarding data exchanges, contingency
planning and systems/servicer changes. A contractor hired by ED’s Guarantor and Lender
Oversight Service conducted site visits in early 1999 at seven agencies and concluded
that the agencies’ Y2K risk to the Federal Family Education Loan Program ranged from
low to moderate. ED is implementing recommendations made by OIG to reduce risk
associated with Guaranty Agencies. For example, ED has required Guaranty Agencies to
test their exchanges with ED and is developing guidance for end-to-end testing and
contingency planning.
During June through August 1999, GLOS and OIG plan to conduct initial site visits at an
additional nine guaranty agencies and one servicer and will revisit two agencies.

Postsecondary Institutions – High Risk
We assess the risk as high because there is insufficient information to assess
adequately the readiness of postsecondary institutions and the limited information
available indicates that they may be at risk. The data gathered from the two surveys
completed in 1998 is now dated and was not representative of the entire population of
schools participating in the SFA programs.

ED is conducting a voluntary survey of 6,614 postsecondary institutions. Although the
survey has not been completed, preliminary results from 653 or 9.9 percent of the
survey participants may indicate potential risks. As of June 11, 1999, 46 percent of
the 653 respondents indicated that they did not have a written plan for achieving Y2K
compliance. Additionally, 42 percent reported that they did not expect to complete
their implementation phase until after September 30, 1999.
These early survey results raise a concern that a significant percentage of
postsecondary institutions may be at risk for Y2K-related failures.

Other factors that support our assessment of high risk include the low participation by
schools in ED’s voluntary testing windows and concerns we have about the readiness of
school servicers. Only 15 schools participated in ED’s first testing window for DLOS.
Recent work we performed at school servicers indicates that some may not be adequately
addressing the Y2K issue.
One large servicer did not have a Y2K plan and did not begin a Y2K project until after
we contacted it to announce our planned visit.

ED Needs to Complete and Test Contingency Plans

Substantial Progress Made in Developing Business Continuity and Contingency Plans
OIG monitored the Office of Student Financial Assistance Program’s (OSFAP) efforts to
develop Business Continuity and Contingency Plans (BCCP) for core business processes
affecting the processing, delivery and administration of the SFA programs. We also
gained an understanding of the progress made in developing contingency plans for the
EDNET and EDCAPS systems. ED has made substantial progress in developing its business
continuity and contingency plans (BCCP) and submitted preliminary plans to OMB on
March 31, 1999. The plans were further refined and resubmitted on June 15, 1999, the
date plans were initially required by OMB Memorandum M-99-16. To prevent disruption of
the SFA delivery process, however, ED will need to continue its efforts to develop,
test and refine its plans.

ED Expects to Modify Plans to Address Industry Comments and Testing Results
ED’s current BCCP contains plans for eight SFA business processes. These plans are not
final and ED expects to modify them as it further consults with business partners and
identifies changes required as a result of testing.
Additionally, ED will need to complete action items scheduled during 1999 to enable
implementation of the plans in the event of Y2K-related failures.

OSFAP began its contingency planning process in August 1998. OSFAP assembled teams to
prepare plans for the following eight critical business processes:

• Student Aid Application and Eligibility Determination;
• Student Aid Origination and Disbursement Process;
• Student Enrollment Tracking and Reporting;
• FFEL Lender and Guaranty Agency Payments;
• Repayment and Collection;
• Institutional Eligibility and Monitoring;
• Customer Service and Communication; and
• FFEL Origination, Disbursement, Repayment and Collection.

Similar efforts were established by the Office of Chief Financial and Chief Information
Officer for the development of BCCPs for EDNET and EDCAPS.

ED Follows GAO Guidance
The plans are being developed using the four-phase process recommended by GAO in Year
2000 Computing Crisis: Business Continuity and Contingency Planning
[GAO/AIMD-10.1.19].
The phases include initiation, business impact analysis, contingency planning and
testing. OIG provided advisory and assistance services to the contingency planning
teams developing the plans by participating in team meetings and providing comments on
draft plans.

ED Must Complete and Execute BCCP Test Plans
We reviewed the March 1999 BCCPs for the SFA core business processes and recommended
that OSFAP revise their test plans to ensure they were comprehensive. We recommended
that the teams provide more detailed descriptions of testing procedures, describe how
test data will be developed, and review cases where testing was not planned.
Additionally, we noted that the number of planned test transactions might not provide
an adequate basis for determining the accuracy of the alternative procedures. OSFAP
considered our comments and made changes to the plans submitted on June 15 to OMB. We
have been informed that OSFAP plans to hire a contractor to review the adequacy of test
plans; facilitate and observe the testing; and evaluate the results of the testing.

The EDCAPS plan was tested during March 1999 using a Desktop approach.
Staff members role-played a simulated situation, performing the manual preparation of
forms and spreadsheets and the physical passing of information among offices. This
testing did not include testing the ability to process high volumes of transactions.
The EDNET plan was preliminarily tested by a walkthrough of the plan’s assumptions,
roles, and responsibilities. The EDNET systems manager is responsible for developing a
detailed test plan for each class of failure scenario and expects to complete testing
by September 30, 1999.

Other Required Actions
In addition to testing, OSFAP needs to take additional actions before December 31, 1999
to ensure that the BCCPs are complete and ready to be implemented. We noted the
following actions that need to be taken:

• Complete Prerequisite Actions: Some of the plans include prerequisite actions that
  must be completed including the development of detailed procedures, the procurement
  or modification of contracts, training, and the execution of risk mitigation
  strategies.
  ED will need to monitor the plans to ensure that required actions are taken.

• Resolve Policy Decisions: The plans include waivers of statutes or regulations that
  may need to be approved. One example includes ED’s plan to prefund institutions in
  December 1999, which has not been approved by OMB. OSFAP informed us that they also
  expect representatives from the FFEL community to present proposals to ED for waivers
  of statutes and regulations.

• Complete Cost Estimates and Secure Funding: In our report Funding the Year 2000
  Conversion, A Report on ED’s Y2K Cost Estimates [Report Number 11-80011, December
  1998] we recommended that ED coordinate a funding strategy to ensure that costs,
  including contingencies, are sufficiently funded. In June 1999, OSFAP provided OIG
  with a contingency plan cost estimate showing total anticipated costs for each
  business process. OSFAP estimated the need for approximately $1.7 million in fiscal
  year 2000 to fund implementation of the plans. OIG has not reviewed the
  reasonableness of this estimate, but has requested supporting documentation. The
  EDNET and EDCAPS contingency plans do not include cost estimates.
  ED needs to complete cost estimates for implementing the contingency plans and ensure
  that funding is available.

ED Needs to Establish Controls to Ensure Continued Y2K Compliance

Although ED completed implementation of the 13 critical systems involved in SFA
delivery, it must ensure that existing and new systems continue to be Year 2000
compliant. Systems components frequently change as new software versions are released,
existing software is replaced, hardware is upgraded, and as new systems are developed
to meet changing management and legislative requirements. ED has systems development
initiatives and systems enhancements planned for 1999 that must be monitored to ensure
they do not negatively affect its Y2K readiness.

New RFMS Implemented Before Y2K Tests Completed
In February 1999, the Y2K Project Team distributed guidance for maintaining Year 2000
compliance for systems and data exchanges. This guidance includes the requirement that
all major releases of software or hardware upgrades for systems, and all new systems,
must undergo a complete set of Year 2000 validation tests prior to acceptance.
We found that the first two phases of the new Recipient Financial Management System
(RFMS) were implemented before complete Y2K tests were conducted. Implementing systems
before they are validated increases the risk that ED’s systems will not accurately
process, deliver and administer the SFA programs. In the case of RFMS, the Y2K tests
are now being completed; however, ED should establish controls to ensure that systems
are validated before being put into production.

Guidance for Maintaining Y2K Compliance Should be Improved
ED’s guidance on maintaining Year 2000 compliance states that principal offices will
become fully responsible for Year 2000 compliance of systems under their cognizance.
The guide does not define an oversight role for the Y2K Project Team in the continued
certification of systems and hardware nor require the use of IV&V. These oversight and
review functions were key controls established in the Y2K Project Management Plan for
the original certification of mission critical systems.
We believe that ED should implement these controls for ensuring continued compliance of
critical systems.

Recommendations

We recommend that ED:

• Continue outreach activities to communicate Y2K issues and strategies to all sectors
  of the postsecondary education community;

• Require all postsecondary institutions to test their data exchanges and ensure that
  all guaranty agencies successfully complete the required testing with ED;

• Complete, test and refine its business continuity and contingency plans. Steps should
  include soliciting and addressing industry comments, securing adequate resources to
  implement the plans, completing detailed action plans, performing actions required
  prior to December 31, and implementing risk mitigation plans;

• Implement a process for validating continued Y2K compliance of critical systems when
  modifications are made.
  The process should include oversight by the Y2K Project Management Team; and

• Initiate controls to limit system changes to those considered essential by the
  Information Technology Investment Review Board for the period September 1999 to
  March 2000.

We also recommend that Congress:

• Promote Y2K awareness at postsecondary institutions in their districts and states; and

• Seek to build constituent support groups to help lagging institutions achieve Y2K
  readiness.

Management Response

Management agreed with the report’s observations about areas that require ongoing
efforts by ED. Management’s response, included as Appendix B, addresses ED’s plans for
implementing our recommendations.

Background

HEA Requirements Concerning Y2K
This Year 2000 readiness report is the second of two OIG reports concerning the Year
2000 issue required by the Higher Education Amendments of 1998 (HEA). In January 1999,
OIG published a risk assessment of the systems and hardware under ED’s management.
This report fulfils the requirement to report on the results of our review of ED’s Year
2000 compliance for processing, delivery, and administration of grant, loan, and work
assistance programs.

The HEA required the Secretary of Education to “take such actions as necessary to
ensure that all internal and external systems, hardware, and data exchange
infrastructure administered by ED that are necessary for the processing, delivery, and
administration of the grant, loan and work assistance are Year 2000 compliant by
March 31, 1999, such that there will be no business interruption after December 31,
1999.” This deadline for systems supporting higher education programs is consistent
with the Office of Management and Budget’s requirement that agencies complete their Y2K
compliance for all systems by March 31, 1999.

Results of OIG Y2K Risk Assessment
The Y2K issue arises from the inability of computer systems to store or process dates
beyond December 31, 1999. Computer systems that use a two digit date field (i.e. “99”
for the year 1999) may not be able to recognize “00” as the year 2000.
Without renovation, these systems may fail or produce erroneous results. ED is
currently taking steps to mitigate the risk of the Year 2000 (Y2K) issue affecting its
computer systems and programs.

In January 1999, OIG reported that the risk of ED’s systems and hardware not being
ready for Y2K had been significantly diminished. At the time, 10 of the 13 systems
critical in the delivery of SFA had been reported by ED as renovated, validated and
implemented. The remaining 3 systems were expected to be implemented by the March 31,
1999 deadline.

We identified four areas of risk that warranted continued monitoring. These areas
included:

• End-to-End Testing: ED’s end-to-end test plan appeared complete and was in the
  process of being implemented, but was not expected to be complete until Summer 1999.

• External Trading Partners: ED had increased the SFA community’s Y2K awareness and
  invited all institutions to test their data exchanges during “windows” of
  opportunity.
  Despite this effort, ED should anticipate that some trading partners may not achieve Y2K
  compliance.

• Contingency Planning: ED expected to have contingency plans established by March 31, 1999, and
  tested by July 1, 1999.

• New Systems/Functionality: ED had several development initiatives and systems enhancements
  planned for 1999 that must be monitored to ensure that they do not negatively affect its Y2K
  readiness.

In March 1999, OMB upgraded ED to its listing of Tier Three agencies making adequate progress in
preparing for the Year 2000. Until December 1998, OMB classified ED as a Tier One agency not
evidencing adequate progress. In December 1998, OMB upgraded ED to a Tier Two agency where there
was evidence of progress, but ongoing concern.

Success of ED’s Year 2000 process is critical. Failure to adequately prepare for the Year 2000
could result in significant disruptions in the delivery of student assistance, such as the
inability to originate new student loans, pay guaranty agency and lender claims, and administer
education grants.
These negative outcomes can be avoided by ED’s implementation of Year 2000 compliant systems and
by the development of strong contingency plans to ensure uninterrupted service.

Objective, Scope and Methodology

Report on Y2K Compliance of Grant, Loan, and Work Assistance Programs

Our objective was to review ED’s Y2K compliance for processing, delivery, and administration of
grant, loan, and work assistance programs as required by the HEA. We assessed the status of 13
systems critical to the delivery of student financial assistance (SFA) and reviewed ED’s progress
in addressing risk areas identified in our previous report. Management Information Reports are
intended to provide information for use of decision-makers and are not audit or investigative
reports.

We Identified 13 Systems Critical to SFA Delivery

We included 13 of ED’s mission critical systems in our assessment. These systems include eleven
SFA program specific systems operated by the Office of Student Financial Assistance. The
remaining two systems are ED’s financial system and its Departmentwide network managed by the
Chief Information Officer and Chief Financial Officer.
Appendix A provides a listing of the thirteen systems and their related functions.

MITRE Corporation’s Y2K Scorecard

We used the Y2K Scorecard approach developed by the MITRE Corporation and included on its website
as public information. The MITRE Corporation developed the Y2K Scorecard as a management tool for
providing standard, periodic high level reporting on the risk that the Year 2000 problems will
affect the missions of an organization’s systems. The Scorecard identifies the level of risk for
a number of risk drivers and it gives a snapshot of the progress each system has made in
resolving its Y2K problems. The Scorecard uses four color codes to indicate the level of risk.
The color codes, from lower to higher risk are: BLUE, GREEN, YELLOW and RED. MITRE designed the
scorecard to be adaptable to the needs of the organization and to the specific concerns of the
systems used by the organization. We identified risk drivers affecting the readiness of the SFA
systems and defined the color codes based on progress expected by June 30, 1999.
We define the risk drivers and their color coding in Exhibit 1.

Reliance on the IV&V Process

Information supporting our assessments was primarily gathered from our monitoring of the IV&V
process. We determined that these contractors were adequately performing the IV&V process and
that we could rely on their work in conducting our risk assessment. To gain this reliance and
gather risk information, we:

• Gained an understanding of the IV&V services by reviewing the contracts and planning
  documentation and discussing the process with ED and contractor personnel;

• Observed the IV&V process by attending meetings, participating in IV&V test visits, and
  interviewing contractor staff; and

• Reviewed monthly status reports, system closure plans, draft and final IV&V reports, and other
  appropriate documentation.

OIG Procedures for Reviewing Progress in Addressing Risk Areas

We assessed the progress made in addressing four risk areas identified in our January 1999
report: end-to-end testing, external trading partners, contingency planning, and new systems
implementation.
We conducted interviews with ED and IV&V employees and reviewed documents supporting ED progress
in these areas, including:

• Monthly and Quarterly Status reports submitted by ED to OMB;

• Y2K Project documentation, including the ED’s Y2K management plan, data exchange testing plans
  and results, draft contingency plans, and documents disseminated to trading partners as part
  of the ED’s outreach efforts;

• ED and GAO testimony concerning ED’s Y2K progress;

Additionally, we evaluated information gathered during other OIG monitoring and audit efforts
including:

• OIG’s Management Information Report Review of Year 2000 Related Risk to Programs Administered
  under Title IV of the Higher Education Act [Report Number 11-80014];

• OIG audit reports including: The Status of the U.S. Department of Education’s Readiness for
  Year 2000 [Report Number 11-70011, March 1998] and Funding the Year 2000 Conversion, A Report
  on ED’s Y2K Cost Estimates [Report Number
  11-80011, December 1998];

• OIG Management Information Report: Year 2000 Readiness at Guaranty Agencies [Report Number
  11-80015] and reviews at three school servicers.

• OIG attendance at Y2K steering committee meetings conducted by the Deputy Secretary; and

• OIG participation in ED’s contingency planning teams.

Exhibit 1
OIG Risk Assessment of Critical Systems

System Name    Principal Office
EDCAPS         OCFO
EDNET          OCIO
CBS            OSFAP
CPS            OSFAP
DLCD           OSFAP
DLSS           OSFAP
DLOS           OSFAP
FFEL           OSFAP
MDE            OSFAP
NSLDS          OSFAP
PEPS           OSFAP
PELL           OSFAP
TIVWAN         OSFAP

Risk columns rated for each system: Summary Risk; COTS Software; Network & Operating Environment;
External Interfaces; Time and Resources; Validation; Implementation.
Color legend: BLUE, GREEN, YELLOW, RED.
[The color-coded rating cells are not present in this text.]

Exhibit 1 (Continued)

Summary Risk: Overall evaluation of the level of risk for individual
system based on analysis of following risk factors.

Blue: System completed implementation and appropriate end-to-end testing. IV&V reviewed
resolution of all issues.

Green: System completed implementation and made significant progress in end-to-end testing. ED is
resolving low risk issues identified by IV&V and/or system needs to complete end-to-end testing.
Remaining issues are scheduled for completion by September 30, 1999.

Yellow: System completed implementation and IV&V, however the system requires monitoring because
IV&V identified moderate risk issues and/or there has not been significant progress in end-to-end
testing. Remaining issues are scheduled for completion before September 30, 1999.

Red: System has not completed implementation and/or there are significant unmitigated risks that
could affect program processing, delivery, or administration.

COTS Application Software: Risks associated with COTS application software.

Blue: System meets the “green” criteria, IV&V reviewed COTS documentation and no issues require
resolution.

Green: All COTS application software significant to program delivery have been certified by the
manufacturer as compliant, and the ED documented this certification in an inventory available for
IV&V inspection.

Yellow: COTS products significant to program delivery have not been certified as compliant or
certification documentation has not been maintained. Certification or replacement with compliant
version is expected.

Red: COTS products significant to program delivery have not been certified as compliant or
certification documentation has not been maintained.
Certification or replacement with a compliant version isn't expected.

Network and Operating Environment: Risks related to the system’s hardware, operating system(s),
and networking components required for successful operation of system.

Blue: System meets the “green” criteria, IV&V reviewed the network and operating environment
documentation, and there are no issues requiring resolution.

Green: All network and operating environment components significant to program delivery were
certified by manufacturer as compliant, and ED documented this certification in an inventory
available for IV&V inspection.

Yellow: Some infrastructure components significant to program delivery have not been certified as
compliant, or the documentation has not been maintained. Certification or replacement with a
compliant component is expected.

Red: At least one infrastructure component significant to program delivery wasn't certified by
the manufacturer as compliant, and certification or replacement with a compliant version isn't
expected.

External Interfaces: Risks related to data exchanges including exchanges with 1) other ED
systems; 2) external parties other than program participants and 3) program participants such as
schools, lenders and guaranty agencies.

Blue: The system meets the “green” criteria, IV&V reviewed the data exchange testing
documentation, and there are no issues requiring resolution.

Green: All data exchanges with other ED systems and external parties were tested with no issues
requiring resolution. Data exchanges with program participants were tested by simulating the
participant’s role (i.e.
sending and receiving data to and from the system) and testing opportunities are scheduled for
program participants.

Yellow: At least one data exchange with ED or external party systems remains to be tested or
outstanding issues identified in testing need to be resolved. Outstanding issues are scheduled
for resolution before September 30, 1999.

Red: At least one data exchange with ED or external party systems remains to be tested or
outstanding issues identified in testing need to be resolved. Outstanding issues are not
scheduled for resolution before September 30, 1999 and require immediate management attention.

Time/Resources: Risks related to the ED having sufficient time and resources (staff, funds,
management support) to complete the Y2K project successfully.

Blue: System has been implemented without outstanding issues or time/resources are adequate to
resolve outstanding issues.
Management has scheduled resolution of outstanding issues and identified necessary resources.

Green: Time and resources appear sufficient to resolve outstanding issues.

Yellow: There are significant issues requiring management attention to ensure adequate resources
are provided for timely and successful completion of the project.

Red: Management has not committed to providing adequate resources, or there are external
limitations that would prevent adequate resources from being made available.

Validation - Risks related to the timeliness or completeness of the IV&V process.

Blue: IV&V issued final report that indicated no outstanding issues to be resolved.

Green: IV&V report issued with minor issues to be resolved. ED implemented recommendations but
IV&V has not yet reviewed their resolution.

Yellow: IV&V issued with minor issues to be resolved. ED plans to implement recommendations by
September 30, 1999.

Red: Final IV&V report issued, or IV&V has reported substantial concerns with the system’s
validation that have not been resolved.

Implementation - Risks related to the timely and successful implementation of the system.

Blue: The system has been implemented and ED has completed Year 2000 Closeout Documentation with
certifications from System Manager, Principal Office Coordinator, Y2K Project Management Team
Liaison, and Y2K Contract Support Representative.

Green: The system has been reported as implemented, however System Closeout Documentation has not
yet been completed. The IV&V report indicates no substantial issues remaining to be resolved.

Yellow: System has been reported as implemented, however, substantial unresolved validation
issues remain outstanding.

Red: ED has not reported system as implemented or substantial unresolved issues remain
outstanding for system reported as implemented.

Appendix A
System Descriptions

System Name
  System Function

ED Central Automated Processing System (EDCAPS)
  EDCAPS is the ED’s Central Automated Processing System maintained by the Office of Chief
  Financial Officer. Its major components are:

  • Grant Administration and Payment System - Supports grant planning, pre-award and award
    management of ED programs, and controls payments for ED's programs.

  • Financial Management Systems Software - Provides the functionality for general ledger, funds
    management, and all related reporting.

  • Contracts and Purchasing Support Software – Supports contract and purchasing processes.

  • The Recipient System – Serves as the customer database and validates whether an entity is
    eligible to receive funds.

Dept. of Education Infrastructure (EDNET)
  EDNET consists of ED’s network services provided by the Office of Chief Information Officer.
  EDNET includes hardware, software and network control data that support ED’s infrastructure.
  EDNET is responsible for maintaining four categories of systems components: 1) network elements
  (routers, switches, and hubs); 2) servers; 3) mail messaging; and 4) workstations directly
  connected to EDNET.

Campus-Based System (CBS)
  CBS supports all database maintenance and operations for the Federal Perkins Loan, Federal
  College Work-Study, Supplemental Educational Opportunity Grant, Income Contingent Loan,
  National Science Scholars, and Default Reduction Assistance programs. The primary mission of
  CBS is to gather data from postsecondary institutions that participate in these programs,
  calculate awards according to legislatively prescribed formulae, and enter financial
  transaction information into ED's accounting system.

Central Processing System (CPS)
  The primary role of the CPS is to process the Free Application for Federal Student Aid (FAFSA)
  through a series of data checks, formula calculations and verification checks with other
  Federal agencies. CPS then prints the information and eligibility results on the Student
  Assistance Report for mailing to the student or institution. CPS interacts with numerous other
  Federal systems, thousands of institutions, and millions of students. CPS is also responsible
  for the development, testing, and distribution of the EDExpress Software, FAFSA Express
  Software, EDE Express Tutorial Software, and the Pell Payment Software.

Direct Loan Servicing System (DLSS) and Central Database (DLCD)
  These two systems jointly are responsible for the servicing of all Direct Loans and maintaining
  the ledger accounts for all financial transactions associated with the Direct Loan Program.

Direct Loan Origination/Consolidation System (DLOS)
  This system supports the delivery of the Direct Loan Program by providing the front end
  processing of direct student loans with the participating institutions of higher education.
  The system enables the making of direct student loans to eligible borrowers and then transmits
  the appropriate booked loan data to the Central Database and Loan Servicing systems. This
  system also provides for the consolidation of multiple student loans into a single direct
  consolidation loan.

Federal Family Education Loan System (FFEL)
  The FFEL system supports the processing, delivery and administration of the Federal Family
  Education Loan Program. FFEL is used to pay interest and special allowances to lenders and to
  pay default claims to guarantors. The Debt Collection Subsystem supports collection of
  defaulted loans from all Title IV loan programs as well as Federal Pell Grant overpayments.

Multiple Data Entry System (MDE)
  MDE provides all computer applications needed for the image-based processing of FAFSAs and
  transmits application data to the CPS.

National Student Loan Data System (NSLDS)
  NSLDS is used to prescreen Title IV assistance applications to ensure no ineligible students
  receive assistance. NSLDS collects student enrollment data from schools and distributes it to
  the guaranty agencies and the Direct Loan servicer to ensure all loans are repaid in a timely
  manner. NSLDS calculates cohort default rates for schools, guaranty agencies and lenders to
  ensure that only quality institutions are participating in Title IV programs. NSLDS allows
  schools and guaranty agencies access to online functions that assist them in tracking students’
  Title IV assistance history. NSLDS supports policy and budget research conducted by various
  offices within ED, as well as the Congressional Budget Office.

Postsecondary Education Participants System (PEPS)
  PEPS maintains information on institutions participating in the Title IV programs. It is used
  primarily by oversight authorities to certify and audit postsecondary institutions’
  participation within the program. PEPS feeds data to NSLDS, to maintain current participation
  levels and for calculating default rates; and, to OCFO for maintenance of audits.

Pell Grant Recipient Financial Management System (PELL)
  PELL stores program information on post-secondary institutions and on recipients. It provides
  fund accountability and control information and source data for program budgeting and
  evaluation.

Title IV Wide Area Network (TIVWAN)
  TIV WAN provides the network link from institutions to ED’s systems, i.e., CPS, NSLDS, Pell,
  and DLOS, for delivery of student financial information.

Appendix B
Management Response
"